Data Protection Addendum for AITOC, Inc DBA AgileCCPM Applications on Atlassian Marketplace
This Data Processing Addendum ("DPA") is incorporated into and supplements the End User License Agreement (hereinafter EULA), Privacy Policy, or any other agreement in effect between AITOC, INC dba AgileCCPM ("Provider") and the customer or organization ("Customer") governing the Customer's use of Provider's products, services, and related support or advisory services (the "Agreement").
This DPA automatically applies when your organization accepts the EULA, and no separate signature is required. By adopting this approach, your organization will also benefit from any updates or improvements made to this DPA over time.
If your organization requires a mutually executed copy for its records, contact us at info@agileccpm.com.
By agreeing to this DPA, the Provider and the Customer agree to be bound by the terms of the Bonterms Data Protection Addendum (Version 1.0), which is incorporated herein by reference and is available at https://bonterms.com/forms/data-protection-addendum-v1/.
This DPA encompasses its defined terms, Key Terms, Schedules, and any Additional Terms outlined below. All capitalized terms not explicitly defined in this DPA shall have the meaning assigned to them in the Bonterms Data Protection Addendum.
Key Terms
Agreement
This Data Processing Addendum (DPA) is an Attachment to the Agreement between the Provider and the Customer, as identified below:
- AITOC, INC dba AgileCCPM, a corporation organized under the laws of the State of Delaware, United States, with its principal place of business at 17657 Candlewood Terrace, Boca Raton, FL 33487, USA (hereinafter referred to as “AgileCCPM”); and
- The Customer, an organization that has accepted the terms of the End User License Agreement (EULA) (hereinafter referred to as “Customer”).
DPA Effective Date
This DPA becomes effective immediately upon the Customer's acceptance of the EULA.
Subprocessor List
The following entities are authorized as subprocessors under this DPA:
- Atlassian
Schedules
Schedule 1: Subject Matter and Details of Processing
Customer ("Data Exporter") Details:
- Name: ____________________________________
- Contact Details for Data Protection: ____________________________________
- Main Address: ____________________________________
- Customer Activities: ____________________________________
- Role: Controller
Provider ("Data Importer") Details:
- Name: AITOC, INC dba AgileCCPM
- Contact Details for Data Protection: info@agileccpm.com
- Main Address: 17657 Candlewood Terrace, Boca Raton, FL 33487, USA
- Provider Activities: Provision of services and products under the Agreement, including related support and advisory services
- Role: Processor
Details of Processing:
- Categories of Data Subjects: Employees, contractors, customers, or other individuals whose data is provided by the Customer for processing
- Categories of Customer Personal Data: Names, project management data, and other information provided during the use of services or apps
- Sensitive Categories of Data (if applicable): None
- Frequency of Transfer: Continuous, as required for the performance of the Agreement
- Nature of the Processing: Collection, storage, analysis, and other processing activities necessary to provide services under the Agreement
- Purpose of the Processing: Provision of products and services under the Agreement, including customer support and performance optimization
- Duration of Processing / Retention Period: For as long as necessary to fulfill the purposes outlined in this DPA or as required by applicable law
- Transfers to Subprocessors: Atlassian is the only subprocessor to which Provider transfers data
Schedule 2: Technical and Organizational Measures
The Provider shall maintain appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Customer Personal Data, including but not limited to:
Access Control:
- Restriction of access to authorized personnel based on the principle of least privilege
- No data egress from Atlassian
- Data residency in alignment with the Atlassian host product
Data Encryption:
- Encryption of data in transit (e.g., TLS/SSL) and at rest using industry-standard encryption protocols
Physical Security:
- Environmental controls and monitoring
Incident Response:
- Implementation of an incident response plan to detect, mitigate, and report data breaches promptly
Data Minimization and Retention Policies:
- Limiting data processing to the minimum necessary for the specified purposes
- No saving of Atlassian personal data; only anonymized identifiers like accountId are saved
Regular Audits and Monitoring:
- Conducting regular internal audits to ensure compliance with security measures
- Continuous monitoring of systems and networks to identify potential vulnerabilities
Employee Training:
- Providing regular data protection and security training to employees with access to Customer Personal Data
Schedule 3: Cross-Border Transfer Mechanisms
1. Definitions:
- EU Standard Contractual Clauses (EU SCCs): Refers to the Standard Contractual Clauses approved by the European Commission under decision 2021/914.
- UK International Data Transfer Agreement (UK Addendum): Refers to the International Data Transfer Addendum issued by the UK Information Commissioner, Version B1.0.
2. EU Transfers:
Where Customer Personal Data is subject to a Restricted Transfer under the GDPR, the EU SCCs shall apply as follows:
- Module 2 (Controller to Processor): Applies where the Customer is a Controller and the Provider is a Processor.
- Module 3 (Processor to Processor): Applies where the Customer is a Processor (on behalf of a third-party Controller) and the Provider is a Processor.
- Data Exporter: Customer
- Data Importer: Provider
3. Swiss Transfers:
For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs shall apply with the following modifications:
- References to "Member State" include Switzerland.
- The governing law shall be Swiss law, and disputes shall be resolved in Swiss courts.
4. UK Transfers:
For transfers subject to the UK GDPR, the UK Addendum shall apply as follows:
- The EU SCCs shall be deemed amended as specified by the UK Addendum.
- References to applicable terms, governing law, and dispute resolution are detailed in this Schedule and associated annexes.
5. Data Privacy Framework:
Transfers of Customer Personal Data to the United States under the EU-U.S., UK-U.S., or Swiss-U.S. Data Privacy Framework shall not constitute a Restricted Transfer, provided the Provider maintains an active certification under the applicable framework.
Schedule 4: Region-Specific Terms
A. California (CCPA/CPRA):
Definitions:
- Terms such as "business purpose," "service provider," "sell," and "share" have the meanings assigned by the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
- "Data Subject" includes "consumer" as defined under the CCPA.
Obligations:
- Customer provides Customer Personal Data for the limited business purposes of fulfilling the Agreement.
- Provider shall comply with all applicable obligations under the CCPA/CPRA and provide an equivalent level of privacy protection.
- Provider shall not sell, share, or use Customer Personal Data for any purposes beyond those outlined in the Agreement.
- Provider shall notify the Customer if it determines it can no longer meet its obligations under the CCPA/CPRA.
B. European Union (GDPR):
Provider shall comply with its obligations under the GDPR, as detailed in this DPA and related schedules.
C. Other Regions:
Additional region-specific terms may apply, subject to applicable data protection laws.